On Mon, 3 Mar 2008, Kenneth Van Wyk wrote:

> So here's a question to ponder. Now that PCI DSS 1.1 is out there (save a
> couple June 2008 deadlines still looming), has it been good or bad for
> software security as a whole?
It's a wash. And that only because PCI has mild good effects, to counteract "The Business" using it as a bludgeon to get some other concessions they want from various IT departments.

Let's face it, current management and business practice is to regard all programmers as plug-compatible, and to put all their emphasis on the unattainable Holy Grail of "repeatable processes" (http://www.idiom.com/~zilla/Work/Softestim/softestim.html and http://www.idiom.com/~zilla/Work/kcsest.pdf). Maybe they need "repeatable processes" if they outsource to guys who can just barely spell "Java", but that's really another rant.

In any case, the same management that puts all its faith in the prima facie nonsense of "repeatable processes" just did some checklist-style PCI remediation, implementing it without wisdom or imagination. Management, thy name is "CYA". They hired the minimum bid network scanners, who really didn't do much, but did turn in a spectacularly-well-formatted "Word" doc with lots of buzzwords in it. "The Business" put whatever effort is left over after plotting Corporate Domination (none) into understanding the PCI remediation checklist, and now believes that security is well taken care of, now and forever.

PCI compliance is like boycotting gas stations for a day: that day's sales look pitiful, but over the course of a week, it will all even out, since "compliance" gives "The Business" a false sense of security.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________